At Adlumin, we are constantly monitoring trends in malware and the capabilities used by threat actors to attack customer networks. Ransomware poses a unique threat to customer environments and businesses as attackers’ use of the technique continually evolves and spreads while payouts increase.
The Threat
Ransomware is a popular method of computer network exploitation, extortion, and a potentially big payday for cybercriminals. In a ransomware attack, malware specializes in detecting local and network-shared user files and then encrypting the victims’ data implanted on a device. Once encrypted, unless there are unaffected backups, the user’s documents and data are rendered inaccessible and unreadable. That is until the victim pays up. Ransomware attackers set up payment portals through the clear, dark web and the bridges between them so that victims can ‘conveniently’ make an online payment to decrypt their files and access their data.
Foundations
While the widespread use of ransomware targeting businesses for financial gain is relatively new, modern examples started to trend in the mid-2000s and picked up in 2013– the first examples can trace their roots back to the 80s – decades before modern times, payment methods like cryptocurrencies existed. In 1989 Joseph Popp authored and deployed the “AIDS Trojan”. This first-of-its-kind malware hid the user’s files, encrypted their names, then displayed a message demanding a $189 payment to “PC Cyborg Corporation” to receive a repair tool under an expired software license. It’s worth noting that this early ransomware sample was vulnerable to extracting the decryption keys from the sample as it used symmetric encryption to encrypt the files. This meant that the same key was used to encrypt and decrypt data which had to be handled by the malware to encrypt the files.
By the mid-90s, researchers had introduced the idea of using public-key cryptography to enable ransomware’s encryption of data without the need to store the decryption keys in the malware, leaving it vulnerable to reverse engineering and key-recovery-based remediation. This was a critical step in the attacker’s ability to ensure decryption keys couldn’t be recovered reliably, and ransomware remained a profitable problem.
In 2006, multiple public-key enabled ransomware families caused trouble in networks worldwide. These attacks weren’t typically pointed at individual targets and often spread through file-sharing platforms. By 2009 ransomware variants had shifted to using secure 1024-bit RSA-driven encryption implementations, which essentially prevented the ability to recover decryption keys through static analysis.
In 2013 ransomware began its modern popularity with the explosion of the CryptoLocker malware. CryptoLocker propagated through a botnet or as an attachment to an email message which appeared to be sourced from a legitimate company. The ZIP file attached to the message contained a Window’s executable disguised as a PDF by changing the executable’s icon. CryptoLocker used public-key encryption to ensure the decryption key was only hosted on the malware command and control server. When paired with strong key strength and algorithms, decryption by means other than payment is impossible. The malware would encrypt files across the local and mapped network drives targeting only specific file extensions such as those associated with Microsoft Office Suite, documents, and images.
Since CryptoLocker, hundreds of ransomware families and variants have been introduced to networks worldwide. Locky followed as a spiritual successor to Crypto lockers; WannaCry affected networks globally and leveraged a zero-day to spread relentlessly across a network, bringing organizations like the British NHS to their knees. Ryuk appeared in 2018 and targeted specific organizations and industries for their deep pockets and ability to pay. Ryuk led to Conti, which recently announced its support of Russia and threatened to deploy “retaliatory measures” if cyberattacks were launched against the country in response to the 2022 Russian invasion of Ukraine. As these attacks grow, we’ve seen considerable impacts on business and industry, such as in the 2021 Colonial Pipeline attack, which led to the shutting down of control systems and oil delivery pipelines, leading to increased prices and limited availability, and panic-buying.
Trends
Adlumin’s Threat Research group has identified two primary trends in ransomware that increase the risk associated with ransomware attacks: the continued shift to ransomware-as-a-service (RaaS) and the growth of data-exposure driven double-extorsion models. These trends represent a widening in ransomware capabilities and prevalence and a decrease in an organization’s ability to control a breach.
Ransomware-as-a-Service (RaaS)
Ransomware as an attacker methodology has grown from initial custom development of tools for individual exploitation campaigns to large-scale availability as a commodity product with the sale of ransomware capabilities taking place on clear and darknet markets. Ransomware capabilities are now available for sale or lease, decreasing the technical capability required to conduct these attacks and lowering the barrier to entry for would-be attackers.
These capabilities can range from costing as little as $20 to thousands depending on the ransomware’s; capabilities, the scope of allowed usage, detection mitigations, automation, exclusivity rights, and inclusion of management or victim portals.
Ransomware has moved from a tailored and unique exploitation method to a pay-for-play access model.
Data Breach & Double-Extortion
Globally, ransomware groups and attacks have started to incorporate more direct extorsion methods – shifting from pay-for-decryption to a combination methodology involving the potential release of stolen, often sensitive, data. To ensure payout from victims, attackers have had to mitigate the impact increased defenses and updated cyber best practices have had on ransomware.
A defensive shift in segmenting devices and services to prevent lateral infection and the ability to restore from otherwise unaffected backups on non-critical systems have lessened businesses’ potential need to pay ransom to recover from an attack. To ensure their operations remain profitable, attackers have begun stealing data from companies and ransoming the possible public release of the stolen data. Such data might include customer PII, payment information, or business secrets – and public release of that data may have severe reputational, business, financial, and regulatory impacts on the affected business, further increasing the cost of a single breach.
This data exposure or “Double Extorsion” tactic means the attackers can choose to require two ransoms – one to decrypt the data and another to delete the data stolen before encryption. The potential release of data is an intense pressure to pay for victims who may not even know what information was stolen.
Explosive Growth
Ransomware as an attacker capability and exploitation method has experienced explosive growth since the introduction of cryptocurrency payments and continued profitable attacks. According to the FBI’s Internet Crime Complaint Center (IC3), CISA reported, ransomware incidents continue to rise, with 2,474 incidents reported for all of 2020 and 2,084 complaints between January and July of 2021 alone, a doubling of reported incidents. The cost and ransom amount have also grown with a 225 increase in ransom demands, and victims are on track to hit over $40M in losses.
What You Can Do
Your business or organization isn’t helpless in preventing ransomware attacks and limiting their impact when they make it past defenses. In a joint 2022 release by cybersecurity authorities in the United States, Australia, and the United Kingdom which included the FBI, the Cybersecurity and Infrastructure Agency (CISA), and the National Security Agency (NSA) – authorities recommended multiple best practices for protecting your network:
Keep all operating systems and software up to date If you use RDP or other potentially risky services, secure and monitor them closely. Implement a user training program and phishing exercises Require MFA Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords. Using Linux, use a Linux security module (such as SELinux, AppArmor, or SecComp) for defense in depth. Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud. Segment Networks help prevent the spread of ransomware by controlling traffic flows between – and access to – various subnetworks by restricting adversary lateral movement. Implement end-to-end encryption, which can prevent eavesdropping on communications, which, in turn, can prevent cyber threat actors from gaining insights needed to advance a ransomware attack. A network-monitoring tool identifies, detects, and investigates abnormal activity and potential traversal of the indicated ransomware. Document external remote connections. Enforce the principle of least privilege through authorization policies. Reduce credential exposure. Disable unneeded command-line utilities; constrain scripting activities and permissions, and monitor their usage. Maintain offline (i.e., physically disconnected) backups of data and regularly test backup and restoration Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure Collect telemetry from cloud environments